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COMPUTER VIRUS SCREENING METHODS AND SYSTEMS 

Technical Field 

The present invention relates to methods and 
systems for detecting a computer virus in computer 
data . 

Background of the Invention 

Many computer users have virus screening and 
detection software installed on their computers. Such 
software directs a computer to screen computer data 
received from diskettes and/or downloaded from online 
services. If a virus or a like deleterious program is 
detected, the software directs the computer to remove 
the virus from the computer data. If undetected, a 
virus in a computer file can infect other computer 
files to produce various unwanted results. 

Subsequent revisions of virus screening software 
are created and released as additional computer viruses 
are discovered. Consequently, each computer user has 
to repeatedly upgrade the virus screening software 
installed on his/her computer to ensure protection from 
recently-discovered viruses . 

Brief Description of the Drawings 

The invention is pointed out with particularity in 
the appended claims. However, other features of the 



invention will become more apparent and the invention 
will be best understood by referring to the following 
detailed description in conjunction with the 
accompanying drawings in which: 

FIG. 1 is a block diagram of a virus-screening 
telecommunication system in accordance with the present 
invention; 

FIG. 2 is a block diagram of an example of a 
virus-screening telephone network; 

FIG. 3 is a flow chart of an embodiment of a virus 
screening method in accordance with the present 
invention; 

FIG. 4 is a flow chart of an embodiment of a 
method of screening the computer data for at least one 
virus; 

FIG. 5 is a flow chart of an embodiment of a 
method of creating a model of a client computer; 

FIG. 6 is a flow chart of an embodiment of a 
process to intercept and fulfill a read request; 

FIG. 7 is a flow chart of an embodiment of a 
process to intercept and fulfill a write request; 

FIG. 8 is a schematic diagram of a first 
alternative embodiment of a virus screening system; 

FIG. 9 is a schematic diagram of a second 
alternative embodiment of a virus screening system; 

FIG. 10 is a schematic diagram of a third 
alternative embodiment of a virus screening system; and 

FIG. 11 is a schematic diagram of a fourth 
alternative embodiment of a virus screening system. 



Detailed Description of a Preferred Embodiment 



Embodiments of the present invention 
advantageously screen computer data for viruses within 
a telephone network before communicating the computer 
data to an end user. As a result, end users can 
download computer data via the telephone network 
without concern of receiving various predetermined 
computer viruses. 

For this application, the term "virus" should be 
construed as inclusive of computer viruses, worms, 
trojan horses, and other like deleterious data. 

FIG. 1 is a block diagram of a virus-screening 
telecommunication system in accordance with the present 
invention. The telecommunication system includes a 
telephone network 10 to serve a plurality of telephone 
lines 12. Preferably, the telephone network 10 
includes a public telephone network such as a public 
switched telephone network to communicate signals 
between pairs of telephone lines. Alternatively, the 
telephone network 10 includes a private telephone 
network or a virtual private telephone network to 
communicate signals between pairs of telephone lines. 
Regardless of its form, the telephone network 10 can 
include any combination of one or more end offices, 
central offices, tandem offices, switching offices, 
service switching points (SSPs) , signal transfer points 
(STPs), service control points (SCPs), and/or other 
nodes to communicate signals between pairs of telephone 
lines . 



Typically, each of the telephone lines 12 
communicates to at least one end station at a 
corresponding customer premise. Examples of end 
stations include, but are not limited to, teleohones, 
facsimile machines, and computers. The telephone lines 
12 can include digital telephone lines to communicate 
digital signals to various ones of the customer 
premises, and/or analog telephone lines to communicate 
analog telephone signals to others of the customer 
premises. 

For purposes of illustration, the telephone lines 
12 include a telephone line 14 in communication with a 
computer 16, a telephone line 20 in communication with 
a computer 22, and a telephone line 24 in communication 
with a computer 26. Although not specifically 
illustrated, it is noted that the telephone lines 12 
can further include a multitude of additional telephone 
lines in communication with additional end stations. 

Typically, the telephone network 10 provides a 
communication path between a telephone line associated 
with a calling party and telephone line associated with 
a called party. In this case, the telephone network 10 
receives a telecommunication code associated with the 
called party (e.g. a telephone number of the called 
party) from the calling party. For example, a modem 
associated with the computer 22 may dial a telephone 
number associated with the telephone line 24 to 
initiate communication with the computer 26. 

The telephone network 10 provides the 
communication path between the calling party and the 



called party in response to receiving the 
telecommunication code. Continuing with the 
aforementioned example, the telephone network 10 
provides a communication path between the telephone 
line 20 and the telephone line 24 in response to 
receiving the dialed telephone number. 

In the aforementioned example and other computer 
communication applications, the telephone network 10 
receives signals representative of computer data from a 
first party for transmission to a second party. The 
signals can include digital signals such as those from 
an ISDN line, or analog signals such as those generated 
by a modem. 

Before communicating the computer data to the 
second party, the telephone network 10 screens the 
computer data for at least one virus. In general, the 
computer data can be screened at any node in the 
telephone network 10. For example, the computer data 
can be screened at an end office, a central office, a 
tandem office, a service switching point, or any other 
switching office which provides a communication path 
between the first party and the second party. 
Alternatively, the computer data can be screened by a 
remote processor which serves one or more end offices, 
central offices, tandem offices, service switching 
points, or other switching offices of the telephone 
network 10. 

If no viruses are detected in the screening step, 
the computer data are communicated to the second party. 
If a virus is detected in the computer data, the 



telephone network 10 can perform one or more actions 
including but not limited to: (i) inhibiting 
communication of at least a portion of the computer 
data to the second party; (ii) removing the virus from 
the computer data prior to transferring the data to the 
second party; (iii) communicating a message indicating 
that a virus was detected to the second party; (iv) 
communicating a message indicating that a virus was 
detected to the first party; and (v) writing data to a 
database indicating that a virus was detected, A 
preferred embodiment of a virus screening method is 
subsequently described in detail with reference to FIG. 
3. 

In this way, the telephone network 10 provides a 
virus screening service to automatically screen 
computer data for viruses. By screening the computer 
data for specific viruses prior to its delivery to an 
end user, the computer data need not be screened for 
those viruses by the end user's computer. Preferably, 
the telephone network 10 is capable of providing the 
virus screening service to a plurality of 
contemporaneous calls . 

The virus screening service may be selectively 
provided only to telephone lines subscribing thereto. 
For example, an end user may subscribe to a virus 
screening service to screen all computer data directed 
to his/her telephone line from Internet service 
providers, online services, computer servers, and other 
dial-up computers. Alternatively, a service provider 
may subscribe to the virus screening service to protect 



its users from computer viruses by screening its 
transmitted computer data. In either of these cases, 
the telephone network 10 can include a database which 
determines whether or not the virus screening service 
is applied to data communicated in a telephone call. 

Virus screening can be facilitated in the 
telephone network 10 using either a conventional 
telephone network processor adapted to run associated 
virus screening software or an additional processor 
which runs virus screening software. For a circuit- 
switched connection between the two parties, the 
telephone network 10 determines and secures an 
appropriate path for the duration of the call. If 
virus screening is to be applied, the path can be 
determined to include a route through a processor which 
examines the contents of information being passed 
during the call. In general, the processor can examine 
data packets carried by either a modulated analog 
signal or as part of an ISDN payload. If virus 
screening is not to be applied to the call, the routing 
of the call may differ so as not to employ the 
processor. 

The processor can augment conventional circuit- 
switched network elements, and may be located anywhere 
in the telephone network 10. The processor can be 
housed with a central office using a heavy duty line 
card, for example, or can be associated with an AIN 
(Advanced Intelligent Network) node. 

Before describing a preferred embodiment of a 
virus screening method in accordance with the present 
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invention, an example of the telephone network 10 :c 
'Screen computer data is described with reference zz 
FIG. 2. 

FIG. 2 is a block diagram of an example of a 
virus-screening telephone network. The telephone 
network includes an end switching office 40 serving 
telephone lines 42, 44, and 46, and an end switching 50 
serving telephone lines 52, 54, and 56. The end 
switching offices 40 and 50 communicate either directly 
or via a tandem switching office 60. 

The telephone line 42 is associated with a server 
computer 62. The server computer 62 can be associated 
with an Internet service provider, an online service, 
or another dial-up computer, for example. For example, 
although not specifically illustrated, the Internet 
service provider can comprise a gateway to communicate 
with the server computer 62 via the Internet, and a 
modem bank to couple the gateway to the telephone line 
42. Additionally, the Internet service provider can 
provide various firewalls, directory servers, and other 
known features. 

The telephone lines 44 and 46 are associated with 
client computers 64. and 66, respectively. The client 
computers 64 and 66 can be associated with end users of 
one or more Internet service providers, online 
services, or other dial-up computers, for example. 

The telephone lines 52 and 54 are associated with 
server computers 72 and 74, respectively. The server 
computers 72 and 74 can be associated with other 
Internet service providers, online services, or dial-up 



computers, for example. The telephone line 56 is 
- associated with a client computer 76. The client 
computer 76 can be associated with another end user of 
one or more Internet service providers, online 
services, or other dial-up computers, for example. 

Associated with the end switching office 40 is a 
computer including a processor 80 to screen computer 
data received thereby for a. plurality of viruses. Also 
associated with the end switching office 40 is a 
database 82 indicating which of the telephone lines 42, 
44, and 46 subscribe to the virus screening service. 
For purposes of illustration and example, the database 
82 includes a record 84 indicating that all computer 
data directed to the telephone line 44 is to be 
screened for viruses. 

The end switching office 50 has a computer 
including a processor 90 associated therewith to screen 
computer data for a plurality of viruses. The end 
switching office 50 performs call processing operations 
responsive to a signal control point (SCP) 92. The 
signal control point 92 includes a database 94 
indicating which of the telephone lines 52, 54, and 56 
subscribe to the virus screening service. For purposes 
of illustration and example, the database 94 includes a 
record 96 indicating that all computer data received 
from the telephone line 54 is to be screened for 
viruses . 

In this example, the processor 80 associated with 
the end switching office 40 screens all computer data 
to be directed to the telephone line 44. Hence, the 
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end user associated with the telephone line 44 car. 
connect to and download data from the server computers 
62, 72, and 74 without concern of receiving various 
predetermined computer viruses. The processor 90 
associated with the end switching office 50 screens ai 
computer data communicated along the telephone line 54 
from the server computer 72. Hence, end users 
associated with the telephone lines 44, 46, and 56 can 
connect to and download data from the server computer 
72 without concern of receiving various predetermined 
computer viruses. 

It is noted that the tandem switching office 60 
can include a virus-screening processor, if desired. 
In this case, the processor selectively screens 
computer data communicated between the end switching 
offices 40 and 50. 

As is well known, each of the virus-screening 
processors can have one or more associated modems to 
modulate computer data for transmission, and to 
demodulate received computer data. 

The herein-described virus-screening processors 
can provide or assist in providing a proxy server or a 
functional equivalent of a proxy server. As 
subsequently described in more detail, the virus- 
screening processors can re-partition received data, 
e.g. create new packets based upon received packets, 
before communicating data to the client computer. In 
these cases, the virus-screening processor can create 
and communicate modified protocol-specific information 
such as a number of packets to be received, error 
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detection and correction information, and packer serial 
numbers . 

Preferably, each virus-screening processor has an 
associated memory device to store at least two packets. 
As subsequently described herein, the virus-screening 
processor can receive a packet and determine whether 
the packet can be immediately forwarded to the client 
computer, or if the packet is to be stored in the 
memory device for further analysis. 

FIG. 3 is a flow chart of an embodiment of a virus 
screening method in accordance with the present 
invention. As described earlier, the virus screening 
method can be performed at any node of a telephone 
network. 

As indicated by block 100, the method includes a 
step of receiving a telecommunication code from a 
calling party. Typically, the telecommunication code 
includes dialing digits such as a telephone number 
associated with a called party. 

As indicated by block 102, the method includes a 
step of determining if at least one of the calling 
party and the called party is a subscriber to a virus 
screening service. This step can include sending a 
query to a database, and receiving a call-handling 
message in response to the query, preferably using the 
facilities of an Advanced Intelligent Network. The 
query can include an identification code of the calling 
party and/or an identification code of the called 
party. 
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The call-handling message can include an 
indication of whether or not virus screening is zc be 
applied for a call between the calling party and the 
called party. Further, the call-handling message can 
include an indication of whether or not virus-screeninc 
is to be applied unidirectionally from the caliina 
party to the called party, unidirectionally from the 
called party to the calling party, or bidirectionally 
between the calling party and the called party. 

As indicated by block 104, the method includes a 
step of routing a call between the calling party and 
the called party. The call is directed to the called 
party based upon the telecommunication code received 
from the calling party. 

It is noted that routing of the call through the 
telephone network 10 can differ depending on whether or 
not virus screening is to be applied. If virus 
screening is to be applied to a call, for example, the 
SCP 92 can direct: the call to be routed through a 
network node appropriately equipped for virus 
screening. This is of particular interest if virus 
screening is not offered at a central office 
communicating the call. Alternatively, if a customer 
does not want virus screening to be applied, or if the 
call is not being directed to a telephone number known 
to require screening, then a more direct, less 
expensive route can be selected. 

As indicated by block 106, the method includes a 
step of receiving computer data from a first party of 
the called party and the calling party. The step of 
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receiving the computer data can include receiving a 
signal which encodes the computer data . The signal car 
include a digital signal or an analog signal encoding 
the computer data. Optionally, the step of receiving 
the computer data includes demodulating the signal to 
recover the computer data encoded thereby. 

In many applications, the computer data has an 
executable program and/or an installation program 
associated therewith. The installation program can be 
either included in the computer data (e.g. a custom 
installer program) or absent from the computer data 
(e.g. a generic installer program). The generic 
installer program typically resides on the client 
computer prior to receiving the computer data (e.g. the 
generic installer program can be bundled with the 
operating system) . 

If virus screening is not to be applied to the 
call, a step of communicating the computer data to a 
second party of the called party and the calling party 
is performed as indicated by block 110. The step of 
communicating the computer data can include modulating 
a signal based upon the second computer data to form a 
modulated signal, and communicating the modulated 
signal to the second party. 

If virus screening is to be applied to the call, a 
step of screening the computer data for at least one 
virus is performed as indicated by block 112. 
Preferably, the step of screening the computer data 
includes screening the computer data for a plurality of 
predetermined computer viruses. This step can include 



a step of storing one or more packets or blocks of 
computer data to facilitate virus scanning over a 
plurality of packets or blocks. A preferred embodiment 
of a method of screening the computer data is described 
with reference to FIG. 4. 

If no virus is detected, the computer data is 
communicated to the second party as indicated by block 
110. If a virus is detected, at least one of the steps 
indicated by blocks 114, 116, 118, 120, and 122 is 
performed. 

Typically, the computer data is comprised of a 
plurality of data packets. After examining the 
contents of one of the data packets, the packet can be 
either immediately forwarded to the second party or 
held for further analysis. Several packets can be held 
before being forwarded to the second party so that 
their contents can be examined as a group (which may be 
required using the method described with reference to 
FIG. 4). By examining several packets, a virus 
signature which extends over the boundary of a single 
packet can be detected. 

Block 114 indicates a step of inhibiting 
communication of the computer data to the second party. 
By performing this step, the computer data which 
contains the virus is blocked from being transferred to 
the second party. 

Block 116 indicates a step of communicating a 
message to the second party indicating that a virus was 
detected. Optionally, the message includes an 
indication of which virus was detected. Preferably, 



the message is in an HTML (hypertext marking Language} 
format to facilitate display using a wide variety of 
client software programs (such as Internet browser 
programs) using a wide variety of operating systems 
(e.g. MacOS, Windows 95, and Windows NT). 

Block 118 indicates a step of communicating a 
message to the first party indicating that a virus was 
detected. Optionally, the message includes an 
indication of which virus was detected. 

Block 120 indicates a step of writing data to a 
database indicating that a virus was detected. This 
step is beneficial in applications where a message 
cannot be readily accepted by the first party. An 
example of such an application is where the first party 
includes a server which only downloads data. The 
message can include an indication of which virus was 
detected, and a date and a time of detecting the virus. 
The first party can subsequently access the database to 
determine if any viruses were detected. 

Block 122 indicates a step of removing the virus 
from the computer data to form second computer data. 
Thereafter, the second computer data is communicated to 
the second party in the step indicated by block 110. 
These steps act to clean the computer data prior to 
communicating the data to the second party. 

The step of communicating the second computer data 
(block 110) can also include appropriate modification 
of information, such as that which pertains to error 
correction that was encoded in the original data but 
which is no longer descriptive of the new data. This 
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step can also include ensuring the integrity of the 
physical transport layer, as is well known by those 
having ordinary skill in the art. 

The step of communicating the second computer data 
can include generating a signal based upon the second 
computer data, and communicating the signal to the 
second party. The signal can be generated in 
accordance with a format for a digital line (e.g. ISDN, 
Tl, and xDSL) . Alternatively, the signal can be 
generated by modulating a signal based upon the second 
computer data to form a modulated signal. The 
modulated signal can be communicated to the second 
party using an analog line. 

After performing the step indicated by block 110 
or at least one of the steps indicated by blocks 114, 
116, 118, 120, and 122, flow of the method can be 
directed back to block 106 to receive further computer 
data, or to block 124 wherein the call is terminated. 
After the call is terminated, flow of the routine can 
be directed back to block 100 to facilitate a 
subsequent call. The subsequent call can have the same 
calling party or a different calling party, and can 
have the same called party or a different called party. 

FIG. 4 is a flow chart of an embodiment of a 
method of screening the computer data for at least one 
virus. As indicated by block 200, the method includes 
a step of removing transmission-specific data from the 
computer data to form second data. Preferably, the 
transmission-specific data which are removed include 
headers and checksums within the computer data. 
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If the computer data is formatted in accordance 
with a point-to-point protocol (PPP) or another high- 
level data link control (HDLC) , the virus-screening 
processor runs PPP to separate the information field or 
payload from the framing fields. The framing fields 
which are removed can include a begin flag, an address 
field, a control field, a protocol field, a frame check 
sequence field, and an end flag. 

The payload within the information field may be 
formatted in accordance with an other protocol, such as 
an internet protocol (IP). In this case, the payload 
includes the follow fields: a version, a header length, 
a type of service, a total length, an identification 
field, flags, fragment offset, time to live, protocol, 
header checksum, source internet address, destination 
internet address, options and padding, and data. The 
virus-screening processor can run IP to remove all 
fields but the data field. 

If the computer data is received in accordance 
with TCP (transmission control protocol), the virus- 
screening processor runs TCP to ensure that packets 
communicated within the data field are received in a 
correct sequence, and to request re-transmission of any 
lost or corrupted packets. If the another protocol 
such as FTP (file transfer protocol) is built on top of 
TCP, the virus-screening processor runs FTP to further 
process the data to form the second data. 

Copies of both the original computer, data and the 
second data are maintained. The original computer data 
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and the second data can be maintained in a memcry 
associated with the virus-screening processor. 

As indicated by block 202, a step of decompressing 
the second data is performed if the second data is 
compressed. As indicated by block 204, a step of 
decrypting the second data is performed if the second 
data is encrypted. By performing these steps, third 
data is produced which is decompressed and decrypted. 

As indicated by block 206, the method includes a 
step of creating or otherwise providing a model of a 
client computer. The model is provided by a virus 
screening computer other than the client computer. The 
virus-screening computer includes the herein-described 
virus-screening processor and its associated memory. 

The model is loaded with the third data (which is 
the same as the second data if the second data is 
uncompressed and not encrypted) . If the third data 
includes an executable program such as an installation 
program or a plug-in program for a Web browser, the 
executable program is installed. The installation 
program can be either generic or part of the third 
data. An embodiment of a method of creating the model 
is described with reference to FIG. 5. 

FIG. 5 is a flow chart of an embodiment of a 
method of creating a model of a client computer. As 
indicated by block 210, a step of determining basic 
parameters of the client computer is performed. The 
parameters can include a version of an operating 
system, a hardware type, registry information, 
configuration information, and information from 
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initialization files such as x \ini" files. The 
parameters are used in subsequently described interceot 
routines . 

The parameters can be determined when a customer, 
subscribes to a virus-screening service, and maintained 
by a database. The parameters in the database can also 
be updated from time to time by communicating with the 
client computer. 

As indicated by block 212, a step of executing the 
installation program is performed. The installation 
program is executed using the virus-screening processor 
and its associated memory. 

As indicated by block 214, a step of intercepting 
read requests generated by the installation program is 
performed. Typically the read requests include 
requests for information about the environment of the 
client computer. 

In response to each request, a step of providing a 
reply message to the installation program is performed 
as indicated by block 216. The reply message is 
generated by gathering information from the model of 
the client computer, and passing the information to the 
installation program. 

The model is at least partially created by one or 
more of the following steps: (i) requesting the 
information from the client computer; (ii) obtaining 
the information from the model if the information was 
created or altered by the installation program; and 
(iii) requesting the information from a pre-existing 
image of the client computer. The pre-existing image 
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of the client computer mimics the state of the client 
computer by maintaining a copy of settings and data 
stored to the client computer. By requesting the 
information from the pre-existing image, the 
information can be gathered locally rather than by " 
communicating with the client computer. 

When the installation program attempts to change 
the environment of the client computer using a write 
request, the write request is intercepted (block 218) 
and changes are made only to the model of the client 
computer stored in the memory {block 219) . In this 
way, the environmental changes attempted by the 
installation program are cached. If the installation 
program later attempts to read those changes, the read 
requests are intercepted and directed to the cache 
rather than to the client computer. 

The processing of read and write requests is 
performed in an order determined by the execution of 
the installation program. For example, an operating 
system may change an order of write requests depending 
on an object to which a write request is directed. If 
an operating system queues. write requests to several 
devices, the actual order in which the write operations 
are performed may differ based upon how busy or how 
fast the devices are. An operating system may also 
vary the order of read requests depending on system or 
device status. The order of read requests can be 
varied using an intelligent look-ahead since one read 
request may fetch data for another read request. In 
general, the order of read and write requests can vary 



from one execution ic another based upon interaction 
between the installation program and the model of the 
operating system. 

Once execution of the installation program has 
completed, the model reflects a state functionally 
equivalent to that of the client computer if the client 
computer had executed installation program. The state 
of the model and the state the client computer would 
have had if the installation program were executed need 
not be identical, but are equivalent from the 
perspective of the virus scanning software. For 
example, the virus scanning software may not attempt to 
duplicate all the display drivers that are installed on 
a non-standard workstation since these drivers might be 
dynamically loaded at execution time from a LAN or from 
a removable mass storage device. Consequently, the 
model and the client might not assume identical states, 
but would have states that were functionally equivalent 
as far as the virus scanning software is concerned. 

Referring back to FIG. 4, the method includes a 
step of scanning or otherwise screening the model for 
at least one virus, as indicated by block 220. Any of 
a variety of virus screening methods can be performed 
in this step. The results of this step are 
communicated to the end user. The end user can decide 
whether to accept or reject the computer data based 
upon the results. If the end user accepts the computer 
data, the computer data is transmitted to the client 
computer. Thereafter, the client computer can execute 
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the installation program to proceed with the- 
installation process . 

It is noted that if the model either equivalently 
models or substantially equivalently models the client 
computer, there is no need for the client computer to 
perform the installation process. Instead, changes to 
the model can be communicated to client computer. In 
this case, the changes to the model can be written to 
the client computer using either no explicit 
installation program or a much simplified installation 
program. A case in which the model may significantly 
differ from the client computer is when changes are 
made to the client computer while the virus-screening 
processor is scanning the computer data. 

A simplified installation program can be created 
and communicated to the client computer as follows. 
Handshake packets for the original installation program 
which indicate, for example, a number of packets to 
expect in a download and error correction/detection 
information, are intercepted by the virus screening 
processor. The virus screening processor creates a new 
installation program to be sent in addition to an 
executable program. The new installation program 
provides information for changing other system files in 
accordance with the instructions included in the 
original installation program. 

Advantageously, the new installation program may 
contain less data than the original installation 
program, although additional data may be required for 
the executable program. In some cases, the need for a 
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new installation program may be eliminated. For 
example, an ANSI -standard C program than only needs to 
be decompressed and is always put in some known 
standard directory on the client computer may not 
require an installation program. 

The virus screening processor creates new 
handshake packets for the new data payioad comprised oi 
the new installation program and the executable 
program. The new handshake packets and the new data 
payioad can then be communicated to the client 
computer. Preferably, the virus screening processor 
provides proxy server functionality to effectuate this 
process . 

Once received at the client computer, the new 
installation program can be executed. In some cases, 
the installation is performed manually either by 
relying on an end user's general knowledge of how a new 
program can be made accessible to the system or by 
providing explicit installation instructions. In these 
cases, the installation instructions in the new 
installation program can include installation 
instructions provided by the original installation 
program. Alternatively, the new installation program 
can provide modified installation instructions created 
using well-understood procedures. 

In other cases, the installation process is either 
partially or wholly automatic. In these cases, the 
original installation process can be forwarded, or a 
new installation process can be created using well- 
understood procedures. 
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FIG. 6 is a flow chart of an embodiment cf a 
process to intercept and fulfill a read request. The 
process can be performed within the seeps indicated by- 
blocks 214 and 216 described with reference to FIG. 5. 
The process can be performed by a subroutine of a main 
virus-screening program. 

In a simple read step, the installation program 
asks that a specified range of memory locations or 
addresses, either in RAM (random access memory) or some 
other memory device, be read. The hereinafter- 
described process is performed for each address to be 
read . 

As indicated by block 250, the process includes a 
step of testing or otherwise determining if the address 
is represented in the model.- If the address is not 
represented in the model, then a step of retrieving a 
value of the address from either a stored image of the 
client computer or from the client computer itself is 
performed (as indicated by block 252). Thereafter, 
steps of copying or otherwise storing the value to the 

model (as indicated by block 254) and marking the 
address as being represented in the model (as indicated 

by block 256) are performed. 

The process includes a step of retrieving the 

value of the address from the model (as indicated by 

block 260). A step of returning the value is performed 
(as indicated by block 262) to satisfy the request from 

the installation program. 

The aforementioned simple read process can be 

augmented to perform a read-with-consequences process. 
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The read-with-consequences process further includes on 
or more system action steps such as changing pointers, 
or incrementing or decrementing counters. The 
extrapolation of the aforementioned simple read proces 
to a read-with-consequences process is clear from well 
known principles of software emulation. 

FIG. 7 is a flow chart of an embodiment of a 
process to intercept and fulfill a write request. The 
process can be performed within the steps indicated by 
blocks 218 and 219 described with reference to FIG. 5. 

In a simple write step, the installation program 
asks that a specified range of memory locations or 
addresses, either in RAM or some other memory device, 
be written. The hereinafter-described process is 
performed for each address to be written. 

As indicated by block 300, the process includes a 
step of testing or otherwise determining if the address 
is represented in the model. If the address is not 
represented in the model, then steps of representing 
the address in the model (as indicated by block 302) 
and marking the address as being represented in the 
model (as indicated by block 304) are performed. Once 
the address is represented in the model, a step of 
writing the value to the representation of the address 
in the model is performed (as indicated by block 306) . 

The aforementioned simple write process can be 
augmented to perform a write-with-consequences process. 
The write-with-consequences process further includes 
one or more system action steps such as changing 
pointers, or incrementing or decrementing counters. 
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Another example of a system action seep includes 
triggering an interrupt or another system action in 
response to writing to one of a plurality of special 
addresses monitored by the operating system. The 
extrapolation of the aforementioned simple write 
process to a write-with-conseguences process is clear 
from. well-known principles of software emulation. 

Although the processes described with reference to 
FIGS. 6 and 7 are based upon intercepting read and 
write requests at a low level of computing abstraction, 
it is noted that requests at any level (e.g. a higher 
level such as the level of operating system calls) can 
be intercepted using well-known methods of software 
emulation. Regardless of the level of abstraction, the 
installation program builds its environmental requests 
from basic steps including a simple read step, a simple 
write step, a read-with-consequences step, and a write- 
with-consequences step. 

Many variations of the herein-described 
embodiments of the present invention can be formulated. 
In cases where a telephone line is used for both data 
communication and voice communication, the herein- 
described methods and systems can be modified to 
determine if a call is a voice call or a data call, to 
disable virus screening for the voice call, and to 
enable virus screening for the data call. 

A further variation is to have the virus screening 
service be an on-demand service as an alternative to or 
in addition to being a subscription service. In this 
case, the end user can prefix the dialing digits of a 
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data call with a code to enable screening. The code 
can have the form of *NN, where each N indicates a 
corresponding dialing digit. The end user may omit the 
*NN code when placing a voice call or calling a trusted 
data source. The herein-described methods and systems 
can be modified to detect the *NN code to enable virus 
screening . 

It is noted that the herein-described methods and 
systems can use a data decompressor to decompress data. 
Once decompressed, the data can be screened for 
viruses. Thereafter, a data compressor can compress 
the data to communicate to a receiving party. 
Similarly, the herein-described methods and systems can 
decrypt data prior to virus screening. This is 
beneficial for .detecting newer varieties of viruses 
which are present on encrypted data, and may be 
undetectable until decrypted. Thereafter, the data can 
be encrypted back to its original form if no virus is 
present . 

It is also noted that virus screening can be 
performed on an entire file before communicating the 
file to a receiving party. Alternatively, the virus 
screening can be performed in-line by partitioning the 
file into small blocks of data, screening each, block of 
data, and communicating each virus-free block data upon 
being screened. As is apparent from the embodiment 
described with reference to FIG. 4, before any block of 
data can be declared virus-free, it may be necessary to 
examine one or more succeeding blocks since a virus 
signature could extend over several blocks of data. 
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As another variation, the herein-described methods 
and systems can allow virus screening to be enabled and 
disabled one or more times during a single session. in 
this case, the virus-screening processor can receive an 
enable message or a disable message from either the 
transmitting party or the receiving party. The virus- 
detecting processor enables virus screening in response 
to receiving the enable message, and disables virus 
screening in response to receiving the disable message. 
Typically, the enable message or the disable message is 
generated by the computer of the receiving party. 

It is further noted that the herein-described 
methods and systems can perform virus screening 
separately on each of a plurality of virtual channels 
included in an interactive session. In this case, 
received data are separated into logical streams, and 
each stream is independently screened. Virus-free 
streams are reconstructed prior to communicating the 
data to the receiving party. In this way, the system 
is operative when there are multiple data streams 
defined between a client and a server. 

Many applications that use TCP/IP include a 
provision for a version of the Berkeley UNIX "sockets" 
API to establish multiple data streams from one or more 
servers to the client. There are also Remote Procedure 
Calls API developed by Sun Microsystems for this 
purpose. Along with the herein-described protocol 
analysis, steps of examining the information requests 
and responses to detecting opening and closing of 
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sockets (or their equivalents) are performed in these 
cases to segregate a data stream into logical channels. 

Still further, it is noted that the virus 
screening methods and systems described in U.S. Patent 
Nps. 5,319,776 and 5,623,600, which are hereby 
incorporated by reference into this disclosure, can be 
used in embodiments of the present invention. 

It is also noted that each of the methods 
described herein can be directed by an article of 
manufacture comprising a computer-readable storage 
medium and computer-readable data stored thereby. 
Examples of the article include an electronic storage 
medium having electronic data, a magnetic storage 
medium having magnetic data, and an optical storage 
medium having optical data. 

FIGS. 8 to 11 show alternative embodiments of 
virus screening systems. These virus screening systems 
include a service bureau to perform the herein- 
described virus screening methods. 

FIG. 8 is a schematic diagram of a first 
alternative embodiment of a virus screening system. A 
user computer 400 having a modem 402 communicates with 
a modem 404 associated with an internet service 
provider 406. The modems 402 and 404 communicate via a 
public switched telephone network 410. Other 
connection means such as an integrated service digital 
network (ISDN), a digital subscriber line (DSL), or 
cellular data can be used to link the user computer 400 
to the internet service provider 406. 

The internet service provider 406 communicates 
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with a data source 412 via the Internet 414. The 
internet service provider 406 includes a service bureau 
420 to download data from the data source 412 as 
requested by the user computer 400. The service bureau 
420 screens the data for at least one virus, and 
communicates the data to the user computer 400 if no 
viruses are detected. 

FIG. 9 is a schematic diagram of a second 
alternative embodiment of a virus screening system. A 
user computer 450 having a modem 452 communicates with 
a modem 4 54 associated with a gateway 4 56. The modems 
452 and 454 communicate via a public switched telephone 
network 4 60 or another connection means. 

The gateway 456 communicates with a plurality of 
internet service providers 462. The internet service 
providers 462 are in communication with the Internet 
464. The gateway 456 provides a service bureau to 
download data from the Internet 4 64 via at least one of 
the internet service providers 4 62 as requested by the 
user computer 450. The service bureau screens the data 
for at least one virus, and communicates the data to 
the user computer 450 if no viruses are detected. 

FIG. 10 is a schematic diagram of a third 
alternative embodiment of a virus screening system. A 
user computer 500 having a modem 502 communicates with 
a modem 504 associated with an internet service 
provider 506. The modems 502 and 504 communicate via a 
public switched telephone network 510 or another 
connection means. 

The internet service provider 506 communicates 
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with a service bureau 512 via the Internet: 514. The 
service bureau 512 receives downloaded data from a data 
source 516 as requested by the user computer 500. The 
service bureau 512 screens the data for at least one 
virus, and communicates the data to the internet 
service provider 506 if no viruses are detected. The 
internet service provider 506, in turn, communicates 
the data to the user computer 500 if no viruses are 
detected. 

FIG. 11 is a schematic diagram of a fourth 
alternative embodiment of a virus screening system. A 
plurality of user computers 550 communicate with a 
service bureau 552 via a local area network 554. The 
service bureau 552 has an associated modem 556 to 
communicate with a modem 560 associated with a data 
source 562. The modems 556 and 560 communicate via a 
public switched telephone network 564 or another 
connection means. The plurality of user computers 550 
share access to the service bureau 552 to screen data 
from the data source 562. The service bureau 552 
routes screened data to one or more of the user 
computers 550 which made a request therefor. 

It is noted that a network-based virus screening 
device (i.e. a service bureau) can actively communicate 
with software loaded into a user computer. If the 
network-based virus screening device maintains 
PPP/IP/TCP stacks, the network-based virus screening 
device can insert IP packets in the PPP stream to the 
user computer and can receive packets addressed thereto 
without passing the packets to the ISP. Using this 
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approach, a private communication channel can be 
established with the user computer. If the 
computational complexity of this approach is excessive, 
the user computer can communicate a message to the 
network-based virus screening device to selectively 
activate the virus screening (such as when downloading 
a file which potentially has a virus) . 

It is noted that by establishing a private 
communication channel, a graphical window associated 
with the virus screening service can be open on a 
graphical desktop of the user computer. An information 
stream separate from data generated during an Internet 
session can be displayed within the graphical window. 
The graphical window can include graphical buttons 
which can be user-selected to interact with the virus 
screening service. The size of the graphical window, 
the number of graphical buttons, and a rate of updating 
the information can be selected by the virus screening 
service. The information can include headlines, 
interactive advertisements, emergency warning messages, 
and the like. Optionally, the information can be 
communicated only when the communication associated 
with the Internet session is idle. 

Thus, there has been described herein a concept, 
as well as several embodiments including preferred 
embodiments of a computer virus screening methods and 
systems . 

Because the various embodiments of the present 
invention screen computer data for viruses in a 
telephone network, they provide a significant 
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improvement in that end users can download computer 
data via the telephone network without concern of 
receiving various predetermined computer viruses. 

Additionally, the virus screening methods and 
systems can examine data unidirectionally (in either 
direction) or bidirectionally between two parties. A 
party calling a dial-up service such as an Internet 
Service Provider or a Bulletin Board Service may elect 
to only screen data that flows from the service to its 
computer. An ISP or a BBS may elect bidirectional 
screening for transmitted files and received files. 

Further, embodiments of the present invention 
create models of end users' computers for use in virus 
screening. Using a model, an installation program 
detects and alters an emulated environment of the end 
user's computer without actually altering the end 
user's computer. 

Still further, by installing downloaded data using 
the virus-screening processor, viruses can be detected 
in installed data (which may differ from the downloaded 
data) . Scanning for viruses in the installed data is 
advantageous because an installation program may 
rearrange segments of the downloaded data to make a 
virus undetectable by scanning the downloaded data. 

It will be apparent to those skilled in the art 
that the disclosed invention may be modified in 
numerous ways and may assume many embodiments other 
than the preferred form specifically set out and 
described above. 
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Accordingly, it is intended by the appended c 
to cover all modifications of the invention which 
within the true spirit and scope of the invention. 

What is claimed is: 



